quic: Avoid possible buffer overflow in find_bucket

Proved by fuzzing the code. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>

quic: Avoid possible buffer overflow in find_bucket
Proved by fuzzing the code. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>
b24fe6b6 · Frediano Ziglio · ef1b6ff7 · b24fe6b6
Commit b24fe6b6 authored Apr 30, 2020 by Frediano Ziglio
--- a/common/quic_family_tmpl.c
+++ b/common/quic_family_tmpl.c
@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
 {
    spice_extra_assert(val < (0x1U << BPC));

-    return channel->_buckets_ptrs[val];
+    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
+     * attempts. Is much faster then using comparisons and save us from such situations.
+     * Note that on normal build the check above won't be compiled as this code path
+     * is pretty hot and would cause speed regressions.
+     */
+    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
 }

 #undef FNAME